Plugin download fails / plugin version is not up-to-date

Created by Sebastian Lackner
Last updated by: Sebastian Lackner

We aim to push out new versions of pipelight as soon as possible after a plugin release. Nevertheless, we understand that even that is not fast enough for all users! It can be especially annoying when a plugin download stops working because the provider has changed the URL and/or content.

With pipelight version 0.2.3 we've introduced an easier way to update the plugin database. Just run:

sudo pipelight-plugin --update

This will fetch the latest script from our server, verify that it's really signed by the Pipelight Dev Team (we use a 4096 bit GPG key to ensure that no one else is able to mess around with plugin updates), and update your local version.

If you would like to have everything automated, the easiest way is to add this command to your list of cronjobs. Please check the documentation of your distribution for the regular way to automate this.

What if updating doesn't help?
------------------------------------------

If it doesn't help, this most probably means that we have not noticed the update yet. Feel free to poke us on #pipelight / freenode (for example with this webchat: http://webchat.freenode.net/?channels=%23pipelight ). As soon as we read your message we will push an updated version to the repository, so that it is available for download immediately. If it's a security-related update, a new full pipelight version will be pushed out shortly afterwards.

Technical details
-----------------------

The install-dependency script containing the plugin database is hosted in our main repository:
https://bitbucket.org/mmueller2012/pipelight/src/master/share/?at=master

The 4096 bit key used to generate the signed version was generated only for this purpose; the corresponding public key is also available in the repository and is called signature.gpg. The signed version is created (half) automatically via a git pre-commit hook whenever we update install-dependency, so the two should always stay in sync.

The version available in the "master" branch will only contain plugin updates, but NO additional new features (except immediately before a new release).

Some additional notes:

* The install-dependency script is designed to be distribution independent; it doesn't use any other external dependencies. @Maintainers: Please provide the signature and the install-dependency script in an unmodified form! Everything can also be configured via ./configure or the configuration files.

* We currently have no verification that git really delivers the latest install-dependency script. A hacker could theoretically intercept the SSL connection (if it's weak) or roll the repository content back to an older version. Since this would only work with versions signed by us, we do not (yet) consider this problem very critical. The install-dependency script always checks the downloaded files against the included sha256sums, which would also detect when a plugin has been replaced with malware in the meantime.

* When using a sandbox (currently still EXPERIMENTAL!) the install-dependency script will be sandboxed, too.
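
The missing freshness check noted above can be closed on the client side by remembering the signature timestamp of the last accepted update and refusing anything older. The following is an added example, not code from pipelight or its install-dependency script; the fingerprint, the state file and the sample status lines are constructed placeholders, and it assumes the status text comes from something like "gpg --status-fd 1 --verify" run on the signed file.

```sh
#!/bin/sh
# Rollback guard over GnuPG machine-readable status output (added example).
# PINNED_FPR is a constructed placeholder, NOT the real Pipelight key fingerprint.
PINNED_FPR="AAAABBBBCCCCDDDDEEEEFFFF0000111122223333"

# check_update STATUS_TEXT STATE_FILE
#   0 = accepted (state file updated)
#   1 = no valid signature from the pinned key
#   2 = validly signed, but older than the last accepted update (rollback)
check_update() {
    status=$1
    state_file=$2
    # VALIDSIG fields: fingerprint, creation date, signature timestamp, ...
    sig_ts=$(printf '%s\n' "$status" | awk -v fpr="$PINNED_FPR" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && $3 == fpr { print $5; exit }')
    # Only epoch-second timestamps are accepted; anything else is rejected.
    case $sig_ts in
        ''|*[!0-9]*) return 1 ;;
    esac
    last=0
    if [ -f "$state_file" ]; then
        last=$(cat "$state_file")
    fi
    case $last in
        ''|*[!0-9]*) last=0 ;;
    esac
    # An equal timestamp is a re-download of the same version and is fine.
    if [ "$sig_ts" -lt "$last" ]; then
        return 2
    fi
    printf '%s\n' "$sig_ts" > "$state_file"
    return 0
}

# Constructed sample status lines: a current update and an older signed one.
SAMPLE_NEW="[GNUPG:] VALIDSIG $PINNED_FPR 2014-03-01 1393632000 0 4 0 1 8 00 $PINNED_FPR"
SAMPLE_OLD="[GNUPG:] VALIDSIG $PINNED_FPR 2014-01-01 1388534400 0 4 0 1 8 00 $PINNED_FPR"

demo_state=$(mktemp)
check_update "$SAMPLE_NEW" "$demo_state" && echo "new: accepted" || echo "new: rejected ($?)"
check_update "$SAMPLE_OLD" "$demo_state" && echo "old: accepted" || echo "old: rejected ($?)"
rm -f "$demo_state"
```

The state file has to live somewhere the download path cannot write to, otherwise resetting it defeats the check.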